fix(#123): address all review findings from PR #129

MAJOR fixes:
- gitea/ipcheck.go: replace startup panic with init()+error list pattern
  Hard-coded CIDRs that fail to parse now recorded in blockedCIDRParseErrors
  instead of panicking. TestBlockedCIDRsValid catches programming errors
  in CI without violating CONVENTIONS.md 'never panic' rule.
- .gitea/actions/review/action.yml: re-validate SERVER_URL at start of
  'Install review-bot' step to close DNS rebinding window between
  'Determine version' and install-step curl calls.

MINOR fixes:
- gitea/client.go: add Timeout: 10*time.Second to net.Dialer per PLAN.md spec
- cmd/review-bot/validateurl.go: switch isValidateError to errors.As so
  wrapped *validateError values are also detected
- gitea/ipcheck_test.go: clarify 198.51.100.1 (RFC5737 TEST-NET-2) comment;
  add TestBlockedCIDRsValid to surface CIDR parse errors as test failures

NIT fixes:
- .gitea/actions/review/action.yml: refactor Python list comprehension in
  SSRF check to for-loop (avoids side-effect-only comprehension, runner compat)
- gitea/export_test.go: expand comment explaining white-box test pattern
  (why package gitea not gitea_test, Go stdlib precedent)

Remove PLAN.md (implementation complete)

gitea/ipcheck.go

@@ -8,55 +8,63 @@ import (
 	"net"
 )
 
-// blockedCIDRs is the list of CIDR ranges that should never be contacted by
-// review-bot. These ranges cover private, loopback, link-local, multicast,
-// and other special-use address spaces that are not reachable from the internet
-// but may be reachable from a self-hosted runner.
+// blockedCIDRStrings is the canonical list of CIDR strings that should never
+// be contacted by review-bot. See IsBlockedIP for the full list of covered
+// address families.
 //
-// Based on:
-//   - RFC1918 private ranges
-//   - RFC5735 / RFC4193 special-use IPv4/IPv6 ranges
-//   - RFC4291 IPv6 link-local / loopback
-var blockedCIDRs = func() []*net.IPNet {
-	ranges := []string{
-		// IPv4 loopback
-		"127.0.0.0/8",
-		// IPv4 unspecified / "this network"
-		"0.0.0.0/8",
-		// RFC1918 private ranges
-		"10.0.0.0/8",
-		"172.16.0.0/12",
-		"192.168.0.0/16",
-		// IPv4 link-local (APIPA, also used by AWS instance metadata 169.254.169.254)
-		"169.254.0.0/16",
-		// IPv4 shared address space (RFC6598, carrier-grade NAT)
-		"100.64.0.0/10",
-		// IPv4 multicast
-		"224.0.0.0/4",
-		// IPv4 reserved / broadcast
-		"240.0.0.0/4",
-		// IPv6 loopback
-		"::1/128",
-		// IPv6 unspecified
-		"::/128",
-		// IPv6 link-local
-		"fe80::/10",
-		// IPv6 unique local (ULA) — RFC4193
-		"fc00::/7",
-		// IPv6 multicast
-		"ff00::/8",
-	}
-	nets := make([]*net.IPNet, 0, len(ranges))
-	for _, r := range ranges {
+// These are hard-coded literals: any parse failure is a programming error.
+// Validity is verified by TestBlockedCIDRsValid in ipcheck_test.go.
+var blockedCIDRStrings = []string{
+	// IPv4 loopback
+	"127.0.0.0/8",
+	// IPv4 unspecified / "this network"
+	"0.0.0.0/8",
+	// RFC1918 private ranges
+	"10.0.0.0/8",
+	"172.16.0.0/12",
+	"192.168.0.0/16",
+	// IPv4 link-local (APIPA, also used by AWS instance metadata 169.254.169.254)
+	"169.254.0.0/16",
+	// IPv4 shared address space (RFC6598, carrier-grade NAT)
+	"100.64.0.0/10",
+	// IPv4 multicast
+	"224.0.0.0/4",
+	// IPv4 reserved / broadcast
+	"240.0.0.0/4",
+	// IPv6 loopback
+	"::1/128",
+	// IPv6 unspecified
+	"::/128",
+	// IPv6 link-local
+	"fe80::/10",
+	// IPv6 unique local (ULA) — RFC4193
+	"fc00::/7",
+	// IPv6 multicast
+	"ff00::/8",
+}
+
+// blockedCIDRs is the parsed form of blockedCIDRStrings.
+// Any entry that fails to parse is recorded in blockedCIDRParseErrors instead
+// of panicking; tests verify this slice is always empty via TestBlockedCIDRsValid.
+var (
+	blockedCIDRs           []*net.IPNet
+	blockedCIDRParseErrors []string
+)
+
+func init() {
+	blockedCIDRs = make([]*net.IPNet, 0, len(blockedCIDRStrings))
+	for _, r := range blockedCIDRStrings {
 		_, cidr, err := net.ParseCIDR(r)
 		if err != nil {
-			// This is a programming error — panic to catch it at startup/test time.
-			panic(fmt.Sprintf("ipcheck: invalid built-in CIDR %q: %v", r, err))
+			// Record the error rather than panicking; TestBlockedCIDRsValid
+			// will catch this during tests, and the CI build will fail.
+			blockedCIDRParseErrors = append(blockedCIDRParseErrors,
+				fmt.Sprintf("ipcheck: invalid built-in CIDR %q: %v", r, err))
+			continue
 		}
-		nets = append(nets, cidr)
+		blockedCIDRs = append(blockedCIDRs, cidr)
 	}
-	return nets
-}()
+}
 
 // IsBlockedIP reports whether ip is in a blocked address range.
 // It is exported for use by the validate-url subcommand and tests outside
@@ -64,6 +72,11 @@ var blockedCIDRs = func() []*net.IPNet {
 //
 // IPv6-mapped IPv4 addresses (e.g. ::ffff:192.168.1.1) are normalized to their
 // IPv4 form before checking so that IPv4 CIDRs catch them.
+//
+// Based on:
+//   - RFC1918 private ranges
+//   - RFC5735 / RFC4193 special-use IPv4/IPv6 ranges
+//   - RFC4291 IPv6 link-local / loopback
 func IsBlockedIP(ip net.IP) bool {
 	// Normalize IPv6-mapped IPv4 addresses (::ffff:x.x.x.x) to plain IPv4.
 	if v4 := ip.To4(); v4 != nil {